All records related to the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.

A July 2013 "Continuous Improvement Plan," prepared for updates and improvements to the healthcare.gov website, defines the "Change Control Board" as a provider of final approval on new features and "politically sensitive issues."

The documents reveal that Mitre recommended a "Denial Authorization to Operate" in the month prior to Obamacare's launch, noting that it could not adequately test the confidentiality and integrity of the system. It said that complete end-to-end testing of the system never occurred. Miter found that 11 "moderate" security findings and eight "low" findings remained open as September 19, 2013 – 12 days before the launch.

And an unsigned "Authorization to Operate" prepared just five days before Obamacare's launch, indicates that the site's "validation contractor" was "unable to adequately test the confidentiality and integrity of the [Federally Facilitated Marketplace] system in full." That contractor, Blue Canopy, noted that they were able to access data "that should not be publically accessible."

On October 1, Americans started shopping for health insurance on healthcare.gov, and the site crashed.

In an October 2013 email exchange requesting help with an upcoming test, healthcare.gov IT security Chief Tom Schankweiler complained of a lack of a "grand strategy" in security testing the Obamacare website. Schankweiler complained about hackers hitting the site, and noted that confidential information was "growing legs and growing way beyond the normal borders." Fryer agreed with Schankweiler, and also noted "conflict of interest issues" in the security testing.

In November senior CMS official Jon Booth discusses "a contingency system" for higher Obamacare enrollments that CMS Office of Administration wanted "kept under the radar" and "out of the spotlight, even from an internal perspective." George Linares responds to Booth, noting that healthcare.gov was still operating without an "Authorization to Operate," and that the "contingency system" meant they needed a plan to "close the security gap as well."

Among the released documents is a November draft press background briefer, in which CMS officials crossed out a line that read that consumers could "trust that the information that they are providing is protected by stringent security standards" and a line that the ACA website was "compliant with the Federal Information Security Management Act."